U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

GENERAL CONTROLS OVER AUTOMATED INFORMATION SYSTEMS, OPERATIONS SERVICE CENTER, BUREAU OF INDIAN AFFAIRS

REPORT NO. 97-I-771
APRIL 1997

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

MEMORANDUM

TO:

FROM: Inspector General

SUBJECT SUMMARY: Final Audit Report for Your Information - “General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs” (No. 97-I-771)

Attached for your information is a copy of the subject final audit report. The objective of our audit was to evaluate the adequacy of general controls over automated information systems at the Bureau of Indian Affairs Operations Service Center.

We found that the Bureau’s general controls over its automated information systems at the Center were not effective. Specifically, the Bureau did not: have an effective system security program and had not enforced personnel policies and procedures to ensure adequate system security; classify its resources to determine the level of security necessary; monitor visitor activities and perform adequate housekeeping to safeguard the mainframe computers and other peripheral devices and media; perform periodic reviews to ensure that users’ access levels to the mainframe computers were appropriate; ensure that the proper version of an application was used in production; have segregation of duties for the systems support functions; have controls over system software to effectively detect and deter inappropriate use; and have an effective means of recovering or of continuing computer operations in the event of a system failure. We made 14 recommendations to improve management and internal controls over the Bureau’s automated information systems at the Center.

The Bureau concurred with 12 of the 14 recommendations, disagreed with 1 recommendation, and did not address 1 recommendation. Based on the response from the Acting Assistant Secretary for Indian Affairs, we considered 12 recommendations resolved but not implemented and two recommendations unresolved. We revised one of the unresolved recommendations and requested that the Bureau provide additional information on the remaining recommendation, which the Acting Assistant Secretary had not addressed.

If you have any questions concerning this matter, please contact me at (202) 208-5745 or Mr. Robert J. Williams, Assistant Inspector General for Audits, at (202) 208-4252.

Attachment

C-IN-BIA-009-96A

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C.
20240
APR 30 1997

AUDIT REPORT

Memorandum

To: Assistant Secretary for Indian Affairs

From: Robert J. Williams, Assistant Inspector General for Audits

Subject: Audit Report on General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs (No. 97-I-771)

INTRODUCTION

This report presents the results of our audit of general controls over automated information systems at the Bureau of Indian Affairs Operations Service Center. The objective of our audit was to evaluate the adequacy of general controls over the Center’s mainframe computer systems and its processing environment in the areas of security program development, access, software development and change management, segregation of duties, system software, and service continuity.

BACKGROUND

The Bureau’s Operations Service Center is organizationally under the Bureau’s Office of Information Resources Management and is located in Albuquerque, New Mexico. The Center provides computer services such as telecommunications, running applications, systems recovery, and user support and is responsible for the Bureau’s automated information systems security. The Center operates all of the Bureau’s major and sensitive mainframe applications (except for the Federal Financial System), such as the Land Records Information System and the National Irrigation Information Management System, on an IBM mainframe computer. The Center also operates major and sensitive mainframe applications of the Office of the Special Trustee for American Indians, such as the Individual Indian Monies System, on a UNISYS mainframe computer. The Center processes approximately 2.5 million transactions weekly.

The IBM computer is used as a link between many of the area and agency offices and the Bureau’s Federal Financial System, located in Reston, Virginia, and as a link to many of the applications residing on the UNISYS computer. However, during our review, the Bureau and the Office of the Special Trustee were moving the applications that reside on the UNISYS computer to the IBM computer.

SCOPE OF AUDIT

We reviewed the Bureau’s general controls that were in place for its automated information systems. Specifically, we reviewed the general controls at the Operations Service Center and general controls, such as Bureau policies, that affected the Center’s operations during fiscal year 1996 and for the two months of fiscal year 1997 (through November 1996). We reviewed the controls for security program development, access, software development and change control, segregation of duties, system software, and service continuity as they related to the two mainframe computers and to Center operations. However, we did not review the controls related to the UNISYS computer for software development and change management and system software because the UNISYS computer applications were being moved to operate on the IBM computer. To accomplish our objective, we reviewed the Bureau’s automated information system security program, interviewed Center personnel and application owners and managers, reviewed systems documentation, observed and became familiar with Center operations, and analyzed system security.

Our audit, which was conducted during August through December 1996, was made in accordance with the “Government Auditing Standards,” issued by the Comptroller General of the United States.
Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our review, we evaluated the internal controls that could adversely affect the Center’s data processing environment. The control weaknesses that we found are discussed in the Results of Audit section of this report. If implemented, the recommendations should improve the general controls.

PRIOR AUDIT COVERAGE

During the past 5 years, the General Accounting Office has not issued any reports related to the Bureau’s automated information systems. However, in December 1996, the Office of Inspector General issued the audit report “Statement of Assets and Trust Fund Balances at September 30, 1995, of the Trust Funds Managed by the Office of Trust Funds Management, Bureau of Indian Affairs” (No. 97-I-96), which presented the results of an audit of the Trust Funds conducted by an independent public auditor. The independent public auditor reported that material internal control weaknesses existed in computerized systems. Specifically, the independent public auditor reported that: (1) the physical location of the two mainframes is a “high risk location” and that only “informal arrangements” have been made with other Governmental agencies to provide recovery services in the event of a disaster; (2) security controls over the UNISYS mainframe computer were “inadequate” because “the system does not require automatic password changes periodically, users are not automatically logged out after a specified period of inactivity, and there is no limit to the number of invalid password attempts made by a user”; and (3) “changes to the Individual Indian Monies (IIM) application are not performed in a test environment on the UNISYS mainframe” and “there are no procedures in place for subsequent review after changes have been implemented.” The report contained recommendations for the Office of the Special Trustee for American Indians to correct these deficiencies. In its response, the Office said that these areas were the responsibility of the Bureau of Indian Affairs and that it had provided, for the Deputy Commissioner of Indian Affairs’ consideration, a copy of the Internal Control Report which made these recommendations. However, the Bureau was not provided an opportunity to respond to the report. We found that the deficiencies relating to the scope of our current audit (the location of the two mainframe computers, recovery services, and security controls over the UNISYS computer) still existed, as discussed in the Results of Audit section of this report.

RESULTS OF AUDIT

We concluded that the Bureau of Indian Affairs’ general controls over its automated information systems at the Operations Service Center were not effective.
Specifically, an effective security program had not been implemented; controls over access, software development and changes, segregation of duties, and system software were inadequate; and a service continuity plan had not been developed and implemented. Office of Management and Budget Circular A-130, “Management of Federal Information Systems,” and National Institute of Standards and Technology Federal Information Processing Standards Publications require Federal agencies to establish and implement computer security and management and internal controls to protect sensitive information in the computer systems of executive branch agencies.¹ Additionally, the Congress enacted laws, such as the Privacy Act of 1974 and the Computer Security Act of 1987, to improve the security and privacy of sensitive information in computer systems by requiring executive branch agencies to ensure that the level of computer security and controls is adequate. However, the Bureau had not complied with the criteria in that it had not developed a formal, up-to-date, comprehensive system security program or established formal policies, standards, and procedures for computer operations. Additionally, the security officer function was not at the appropriate organizational level, and adequate funding and personnel were not provided to fully support the Center’s mission. The deficient general controls significantly increased the risk of unauthorized access; modifications to and disclosure of sensitive data maintained in the Center’s mainframe computers; theft or destruction of hardware, software, and sensitive data; and the loss of critical systems and functions in the event of a disaster. In addition, the deficient controls decreased the reliability of the data maintained on the Center’s computers.

¹ The Computer Security Act of 1987 defines sensitive data as “any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act.”

Overall, we identified 10 weaknesses and made 14 recommendations for improving management and internal controls for the Bureau’s automated information systems at the Center. The weaknesses within the six major areas of system security, access, software development and change controls, segregation of duties, system software, and service continuity are provided in the following paragraphs, and specific details of the weaknesses and our respective recommendations to correct these weaknesses are in Appendix 1.

System Security Program

We found that the Bureau did not have an effective system security program and had not enforced personnel policies and procedures to ensure adequate system security.
As a result, the Bureau increased the risk that mission-based, sensitive computer systems are not adequately protected and that sensitive data may be impaired or compromised by individuals, including individuals whose employment has been terminated or who have been transferred. We made five recommendations to address these weaknesses.

Access Controls

We found weaknesses in physical and logical access controls² over the mainframe computers. Specifically, the Bureau did not classify its resources to determine the level of security necessary; monitor visitor activities and perform housekeeping functions periodically to safeguard the mainframe computers, local area network (LAN) equipment, and daily backup tape libraries at the Center; perform periodic reviews to ensure that users’ access levels to the mainframe computers were appropriate; and change passwords periodically for access to the UNISYS computer. As a result, the Bureau increased the risk of unauthorized access and damage to and the destruction of mainframe computer hardware, software, and data. We made five recommendations to address these weaknesses.

Software Development and Change Controls

We found that software development and change controls were inadequate to ensure that the proper version of an application was used in production. As a result, the Bureau increased the risk of (1) security features being inadvertently or intentionally omitted or turned off and (2) irregularities or “malicious codes” being introduced.³ We made one recommendation to address this weakness.

² Logical access involves the use of computer hardware and software to prevent or detect unauthorized access by requiring users to input user identifications, passwords, or other identifiers that are linked to predetermined access privileges.

³ The National Institute of Standards and Technology’s handbook, “An Introduction to Computer Security: The NIST Handbook,” defines “malicious codes” as “viruses, worms, Trojan horses, logic bombs, and other ‘uninvited’ software.”

Segregation of Duties

We found that there was inadequate segregation of duties for the systems support functions in the areas of system design, application programming, systems programming, quality assurance/testing, library management, change management, data control, data security, and data administration. As a result, the Bureau increased the risk of (1) implementing improper program changes and (2) damaging or destroying computer resources. We made one recommendation to address this weakness.

System Software

We found that the controls established over system software were not effective in detecting and deterring inappropriate use. Specifically, periodic reviews of the System Management Facility (SMF) logs and Resource Access Control Facility (RACF) reports were not performed, access to the logs and to the RACF reports was not adequately controlled, and the RACF had not been set up effectively.
As a result, the Center increased the risk of not detecting alterations through normal operating controls. We made one recommendation to address this weakness.

Service Continuity

We found that the Center did not have an effective means of recovering or of continuing computer operations in the event of a system failure or a disaster. Specifically, the Center did not have a service continuity plan, and the off-site storage facility, which houses backup information such as software applications, databases, and data, was not located at least 1 mile away from the Center, was not secure, and was not environmentally protected. As a result, the Center may not be able to recover or resume critical computer operations in the event of a system failure or a disaster. We made one recommendation to address this weakness.

Bureau of Indian Affairs Response and Office of Inspector General Reply

In the March 19, 1997, response (Appendix 2) from the Acting Assistant Secretary for Indian Affairs to the draft report, the Bureau concurred with 12 of the draft report’s 14 recommendations, disagreed with 1 recommendation, and did not specifically address 1 recommendation.

In its response to Recommendation A.2 in our draft report, the Bureau stated that the recommendation “would be appropriate” if the Bureau were to continue to operate mainframe data processing. The Bureau further stated, “Since that function will be transferred to U.S.G.S. [U.S. Geological Survey], we believe that the Bureau Security Officer and his staff will be able to manage the reduced security requirements of the Albuquerque OIRM [Office of Information Resources Management] site.” We agree that if the Bureau transfers the data processing function to the U.S. Geological Survey, the recommendation is not needed.

Therefore, we have eliminated Recommendation A.2 from the final report and have renumbered Recommendations A.3 and A.4 from our draft report accordingly. However, a separate security function would be required at the Center should data be processed by the Center after mainframe data processing ceases.

Regarding Bureau plans for automated information systems, the Bureau stated that, because of the transfer of mainframe data processing from the Bureau to the U.S. Geological Survey beginning in July 1997, the Office of Information Resources Management will be reorganized or positions will be redefined by October 1, 1997, and implemented by December 1, 1997. Because of the transfer of mainframe data processing, according to the Bureau, recommendations applicable to physical controls, user access, access to the UNISYS computer, segregation of duties, and systems software will be implemented through the actions taken as part of the conversion. The Bureau further stated that the information systems security position “will be elevated to report directly” to the Director, Office of Information Resources Management, and that the security officer position will have authority “extending beyond headquarters operations.” The Bureau also identified the additional duties of the security officer.

Regarding software development and change control, the Bureau said that it was “expanding and documenting improved procedures” for controlling software development and changes to existing software.

Based on the Bureau’s response, we consider Recommendations A.1, A.2, A.3, B.1, C.1, D.1, D.2, E.1, F.1, G.1, H.1, and I.1 resolved but not implemented.
Accordingly, the unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation. Also, we request that the Bureau respond to Recommendation J.1, which the Bureau did not specifically address. (See Appendix 3.)

Additional Comments on Audit Report

In the response, the Bureau stated that Audit Report 97-I-90, which we identified in the Prior Audit Coverage section of our report, had not been “formally transmitted” to the Bureau of Indian Affairs by the Office of Inspector General and that the Bureau was not provided an opportunity to respond to the report. The Bureau requested that this fact be noted, and we have revised our report accordingly. As previously stated, however, the Office of the Special Trustee for American Indians, to whom Audit Report 97-I-90 was issued, advised that it provided a copy of the report to the Deputy Commissioner of Indian Affairs for consideration. Neither this fact nor the fact that the audit report identified weaknesses in the Bureau’s information systems was disputed in the Bureau’s response to this report.

Also, the Bureau said that specific pages of our report “would lead the reader to assume that Bureau management was solely responsible for the funding and staffing deficiencies within the Office of Information Resources Management which directly contributed to the control weaknesses identified in the report,” even though the Congress “denied” requested fiscal year 1996 funding increases for the Bureau’s Central Office and reduced the fiscal year 1996 funding level “by approximately 25 percent below” the fiscal year 1995 level. We agree that the Congress reduced the Bureau’s funding level; however, it did not specifically identify the functions within the Central Office that Bureau management should reduce. Considering that the Bureau recognized that “previous Departmental reviews had determined that OIRM [Office of Information Resources Management] was significantly underfunded at the pre-1996 levels,” we believe that the Bureau’s decision not to reallocate funding to the Office of Information Resources Management contributed to the weaknesses identified in our report.

The Bureau also requested that, if the “multiple” recommendations in our report relating to physical controls, user access, access to the UNISYS computer, segregation of duties, and system software are referred for tracking of implementation, they should be consolidated into one recommendation: “migration of mainframe data processing to U.S.G.S. [U.S. Geological Survey].” However, we cannot comply with this request. While we agree that implementation action of “conversion of the mainframe data processing to the U.S.G.S. host computer” would be the first step in correcting the problems identified, other corrective actions are needed to fully implement the multiple recommendations. We therefore will refer all of the recommendations separately for tracking of implementation.

In accordance with the Departmental Manual (360 DM 5.3), we are requesting a written response to this report by May 30, 1997.
The response should provide the information requested in Appendix 3.

The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

We appreciate the assistance of Bureau personnel in the conduct of our audit.

APPENDIX 1
Page 1 of 17

DETAILS OF WEAKNESSES AND RECOMMENDATIONS

SYSTEM SECURITY PROGRAM

A. System Security Program

Condition: During fiscal year 1996, the Center did not have a documented security implementation plan for the Bureau’s automated information systems. Although the Center had developed a security implementation plan by November 1996, the plan did not meet the detailed requirements of Office of Management and Budget Circular A-130, Appendix III, “Security of Federal Automated Information Systems.” For example:

- Although users were provided written information about system security issues when access to computer systems and applications was approved, the Center did not have an employee computer security awareness training plan in effect. Further, the security staff had not provided periodic computer security training to Bureau area and agency offices and other organizations, such as schools.

- Risk assessments had not been performed periodically or had not been performed when systems, facilities, or other conditions changed. Specifically, since 1990, only two risk assessments had been performed: a risk assessment of the Center’s previous mainframe configuration was performed in 1990, and a risk assessment of the LANs of the Albuquerque Central Offices¹ was performed in 1996. While we determined that these assessments were adequate, we also determined that the Center had not implemented recommendations from the risk assessments.

- Assessments of the system security program’s effectiveness were not performed periodically. Also, the system security program was not reviewed under the Federal Managers’ Financial Integrity Act annual review process.

¹ The Central Offices are administrative offices such as the Operations Service Center and the Division of Accounting Management.
The Bureau has Central Offkes in Washington, D.C., and in Albuquerque, New\nMexico.\n\n                                                  8\n\x0c                                                                           APPENDIX 1\n                                                                            Page2of17\n\nSYSTEM SECURITY PROGRAM\n\n\n               - Major systems and applications were not always accredited by the\n            managers whose missions they supported.\n\nCriteria:   The Computer Security Act requires Federal agencies to develop and\n            implement plans to safeguard systems that maintain sensitive data. Also,\n            Office of Management and Budget Circular A-l 30, Appendix III, details what\n            should be safeguarded by a system security program and what should be\n            included in the security implementation plan. Additionally, the National\n            Institute of Standards and Technology\xe2\x80\x99s handbook, \xe2\x80\x9cAn Introduction to\n            Computer Security: The NIST Handbook,\xe2\x80\x9d describes a system security\n            program as a program that includes security policies and a related security\n            implementation plan. According to the handbook, the system security\n            program should establish a framework for assessing risk, developing and\n            implementing effective security procedures, and monitoring the effectiveness\n            of these procedures.\n\nCause:      Because the Bureau\xe2\x80\x99s automated information system security function was\n            within the Center, the function did not have adequate independence and\n            authority to implement and enforce a Bureauwide system security program.\n            The security staff consisted only of the automated information security officer\n            and another staff person. 
Most of their time was spent in administering\n            security at the Center and administering user access to the computer systems.\n            Additionally, the 1996 risk assessment recommended that the system security\n            function be directly responsible to the Commissioner, Bureau of Indian\n            Affairs, which had not been accomplished by the end of our review.\n            However, we believe that, at a minimum, the position should be elevated to\n            report directly to the Director, Office of Information Resources Management.\n\nEffect:     The lack of an effective system security program prevents assurance that\n            established controls can be relied upon to protect mission-based, sensitive\n            computer systems.\n\n\n\n\n                                           9\n\x0c                                                                            APPENDIX 1\n                                                                             Page 3 of 17\n\nSYSTEM SECURITY PROGRAM\n\nRecommendations:\n\nWe recommend that the Assistant Secretary for Indian AfIairs ensure that:\n\n     1. The automated information system security function is elevated organizationally to\nat least report directly to the Director, Office of Information Resources Management; is\nformally provided with authority to implement and enforce a Bureauwide system security\nprogram; and is provided staff to perform the required duties, such as providing computer\nsecurity awareness training and performing periodic risk assessments.\n\n     2. A system security program is developed and documented which includes the\ninformation required by the Computer Security Act of 1987 and Office of Management and\nBudget Circular A-130, Appendix III, and that policies and procedures are implemented to\nkeep the system security program current.\n\n     3. 
The Bureau\xe2\x80\x99s security personnel perform risk assessments of the Bureau\xe2\x80\x99s automated\ninformation systems environment and, as appropriate, provide assurance that the necessary\nchanges are implemented to manage the risks identified.\n\n\n\n\n                                            10\n\x0c                                                                              APPENDIX 1\n                                                                               Page 4 of 17\n\nSYSTEM SECURITY PROGRAM\n\nB. Personnel Security Policies and Procedures\n\nCondition:   Personnel security policies and procedures were not adequate. Specifically:\n\n                 - Personnel in sensitive or critical ADP positions, such as system\n             programmers and application programmers (including application\n             programmers not assigned to the Center), did not have documented\n             background investigations for security clearances or did not have security\n             clearances at a level commensurate with their positions.\n\n                 - Although the IBM computer had been set to automatically revoke a\n             user identification (ID) after 180 days of inactivity, supervisors did not notify\n             the application owner or manager or the Center\xe2\x80\x99s security staff to revoke and\n             delete a user ID when an employee\xe2\x80\x99s employment was terminated or an\n             employee was transferred.\n\nCriteria:    Office of Management and Budget Circular A-130, Appendix III, requires\n             agencies to establish and manage personnel security policies, standards, and\n             procedures that include requirements for: (1) screening individuals who\n             participate in the design, development, operation, or maintenance of sensitive\n             applications or who have access to sensitive data and (2) ensuring that access\n             to computer systems is removed when employees 
terminate their employment or when employees are no longer in positions requiring such access. Additionally, the Departmental Manual (DM 441, "Personnel Suitability and Security Requirements") requires that background investigations be performed for security clearances before employees are placed in sensitive or critical ADP positions and that subsequent investigations be performed based upon the sensitivity or the criticality of the position.

Cause:       The Bureau had established procedures for requiring background investigations for ADP positions that were sensitive and critical. However, the procedures were not implemented or enforced. Further, we did not find formal policies or procedures, such as requiring the deletion of the user ID from the security database during the exit clearance process, that required supervisors to notify the application owner or manager or Center security staff when employees' employment was terminated or an employee was transferred.

Effect:      Without adequate security-related personnel policies, the Bureau increases the risk that system operations and data could be impaired or compromised by individuals or by employees whose employment has been terminated or who have been transferred.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining
appropriate security clearances for personnel in sensitive or critical ADP positions and for informing the security staff, in writing, whenever employees who are system users terminate their employment or are transferred.

ACCESS CONTROLS

C. Resource Classification

Condition:     The Bureau had not classified its computer resources to determine the level of security that should be provided by the Center.

Criteria:      The Computer Security Act requires agencies to identify systems that process sensitive data. Additionally, Office of Management and Budget Circular A-130, Appendix III, directs Federal agencies to assume that all major systems contain some sensitive information that needs to be protected but to focus extra security controls on a limited number of particularly high-risk or major applications.

Cause:         Bureau policies did not specify that: (1) information resources should be classified; (2) resource classification categories should be based on the need for protective controls; (3) senior-level management should review and approve resource classifications; and (4) determinations of resource classifications should be documented.
Additionally, classification of the information resources could not be achieved because a risk assessment (which identifies threats, vulnerabilities, and the potential negative effects that could result from disclosing confidential data or from not protecting the integrity of data supporting critical transactions or decisions) had not been performed recently on the mainframe computer applications and system software.

Effect:        If information resources are not classified according to their criticality and sensitivity, there is no assurance that the Center was providing the most cost-effective means to protect the computer resources.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs develop and implement policies to classify the Bureau's computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

D. Physical Controls

Condition:   Physical controls, such as monitoring physical access to the Center and performing housekeeping functions for the computer operations room that houses the mainframe computers, LAN equipment, and daily backup tape libraries, were not adequate. For example:

                 - The Center was located within a Federal building (which also houses U.S. Courts) that allows unauthorized individuals access to the Center.
To ensure that the Center and its resources were safeguarded, physical access to the Center was achieved by electronic keycards, and access into the Center was monitored by video cameras. However, visitors, such as custodial (contractor) personnel and building managers, had been provided the keycards and therefore had unmonitored access while in the Center.

                 - General housekeeping and maintenance of the computer operations room were performed only weekly. This weekly schedule was inadequate because of the failure to remove potential fire hazards caused by combustible supplies and by dust produced by paper used in the printer, which was also housed in the computer operations room.

Criteria:    The Department of the Interior Automated Information Systems Security Handbook, when addressing control for personnel access to computer facilities, states:

                 Access by visitors, equipment maintenance personnel, and other individuals not directly involved with managing or operating a sensitive AIS [automated information system] installation will be controlled by individual authorization.
It is recognized that different procedures and restrictions will be required for various categories of visitors; however, all access by other than assigned personnel will be monitored.

             Additionally, the Handbook states that "within the facility, good housekeeping and operating procedures are prerequisite to maintaining a noncombustible environment" and that operations such as "bursting and collating," which increase the potential for fire, should be restricted.

Cause:         The Center was understaffed; therefore, Center personnel were not able to adequately monitor the activities of visitors. Also, the Bureau had reduced funding available to the Center; therefore, more frequent housekeeping services could not be obtained.

Effect:        The deficient physical controls increased the risk of unauthorized access and damage to and destruction of sensitive hardware, software, and data.

Recommendations:

We recommend that the Assistant Secretary for Indian Affairs ensure that:

     1. Sufficient staff are provided to adequately monitor all visitor activities.

     2.
Funding is provided for adequate maintenance of the computer operating room, such as providing daily housekeeping services, or that fire-producing equipment and supplies are removed from the computer room.

E. User Access

Condition:     Security staff and application owners did not periodically review user access authorizations to ensure that users' levels of access to the mainframe computers were appropriate.

Criteria:      The Center's policy requires security staff to obtain written documentation from supervisory personnel and approval from application owners or managers before allowing users access to the mainframe computers.

Cause:         The Center's policy did not require periodic reviews of users' access authority. In addition, the security function was understaffed and would not have been able to adequately perform the periodic reviews. Further, although RACF had been set up to automatically revoke user IDs after 180 days of inactivity, the IDs were not deleted from RACF because the security staff did not receive written notifications when employees terminated their employment or were transferred.

Effect:        The Center had no assurance that user access was assigned at the appropriate level.
Additionally, the Center increased the risk of unauthorized access and damage to and destruction of computer hardware, software, and data because of the time period between when an employee leaves and when the employee's access is automatically deleted.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that policies are developed and implemented which match personnel files with system users periodically, that user IDs are deleted from the system for users whose employment has been terminated, and that verification and approval are obtained from user supervisors and application owners or managers that the levels of access are appropriate.

F. Access to the UNISYS Computer

Condition:    Passwords were not changed periodically, and inactive user IDs were not automatically revoked on the UNISYS computer. Additionally, greater reliance had to be placed on the user ID and password controls to protect the applications, files, and data because the applications residing on the UNISYS computer were developed without access controls and could not be modified to install the access controls.

Criteria:     The Department of the Interior's "Automated Information Systems Security Handbook" recommends that passwords be changed every 90 days.
Also, generally accepted industry standards recognize that passwords should be changed every 60 to 90 days for users who do not have sensitive privileges and every 30 days for users who do have sensitive privileges.

Cause:         The Center has not acquired a security access control software package that can automatically require password changes and automatically revoke user IDs because the applications running on the UNISYS computer are to be moved to the IBM computer.

Effect:        The effectiveness of the password as a control has been diminished, which increases the risk of unauthorized access to sensitive production information that resides on the UNISYS computer through password disclosure.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that a higher priority is given to moving the applications that reside on the UNISYS computer to the IBM computer.

SOFTWARE DEVELOPMENT AND CHANGE CONTROL

G. Software Development and Change Control

Condition:     Software development and change controls were inadequate to ensure that the proper version of an application was used in production. Based on our test of the National Irrigation Information Management System, which was managed by the Bureau's Irrigation and Power Liaison and Control Section, we found that the application programmers not only programmed the application but also tested, authorized, and approved the movement of the modified programs from test or development into production.
In addition, the lead programmer was not made aware of software modifications. Further, one member of the Center's systems staff could also move application software changes from test or development into production without the lead programmer's approval.

Criteria:      The Departmental Manual (DM 385) describes system development life cycle management processes and change management controls. The Manual requires that a procedure be in place for approval and acceptance of changes and that a group or an individual be "responsible for ensuring that all changes have been properly evaluated."

Cause:         The Bureau had not identified who was responsible and accountable for controlling application software development and changes.

Effect:        The Bureau increased the risk that security features could be inadvertently or intentionally omitted or turned off or that processing irregularities or malicious code could be introduced. For example, the incorrect version of a program could be implemented, which could perpetuate outdated or erroneous processing.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that policies and procedures are developed and implemented which clearly identify the individuals responsible and accountable for application development and changes.

SEGREGATION OF DUTIES

H.
Segregation of Duties

Condition:   The duties for the systems support functions of system design, application programming, systems programming, quality assurance/testing, library management, change management, data control, data security, and data administration were not adequately segregated between different individuals. Specifically, we found that:

                 - System design, systems programming, data security, and data administration were accomplished or could be accomplished by one system programmer.

                 - Quality assurance/testing, change management, data security, and data administration could be performed by one system programmer.

                 - Quality assurance/testing, change management, and data administration could be performed by the National Irrigation Information Management System application programmers.

                 - Library management and computer operations were performed by the computer operators.

Criteria:    Effective segregation of duties requires that each systems support function be performed by a different individual, thus ensuring that no one individual controls all critical stages of a process.

Cause:       Center staffing was not sufficient to the extent that the segregation of duties could be adequately distributed. Center officials stated that, because of the Bureau's reduced budgetary resources, they were not able to fully staff the Center.
However, we observed that in some of the functions, such as in applications programming, the staff were underutilized and that in other functions, the staff, such as computer operators, were utilized to the extent that the personnel were required to work overtime to ensure that this function was carried out.

Effect:       The lack of segregation of duties increases the risk that improper program changes could be implemented and that computer resources could be damaged or destroyed.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that staffing at the Center is evaluated and adjusted so that duties for critical system support functions are adequately segregated and fully utilized.

SYSTEM SOFTWARE

I. System Software Controls

Condition:   The controls established over system software were not effective in detecting and deterring inappropriate use. Specifically:

                 - Periodic reviews of the System Maintenance Facility logs and RACF access reports were not performed by the security staff to monitor system activities.
Additionally, the security staff produced reports that identified users and the computer resources accessed; however, the staff had not produced or used the primary "auditing" or monitoring reports that could be used in monitoring system activities.

                 - One system programmer had "alter" access to system software, the System Maintenance Facility logs, and RACF logs. With this access, the programmer could alter the logging of his activities, as well as any other user activities. Thus the audit trails of system activities could be impaired or destroyed.

                 - RACF can be used to establish controls and monitor access to the computer resources. However, RACF had not been set up to effectively control access to the system resources. We found that one of the "start procedures" had been assigned the PRIVILEGED attribute. With this attribute, the started task can bypass all verification processing, including the security classification checks, and therefore affect the overall security of the system. Additionally, with the PRIVILEGED attribute, no logging or audit trail of this task was available. Further, no datasets, including the system parameter library, linklist libraries, master catalog, and the primary and backup files, were protected by RACF.

Criteria:    Office of Management and Budget Circular A-130, Appendix III, requires that adequate audit trails exist so that an adverse impact on general support systems can be prevented or detected.
Also, Federal Information Processing Standards Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974," provides guidelines for system security and addresses the importance of having audit trails of all system activity.

Cause:         Because the system programmer was responsible for setting up the IBM computer, the Center continued to rely solely on the programmer's expertise to ensure that the system was operating. Additionally, the security staff did not fully utilize RACF capabilities to monitor system programmer and system access activities.

Effect:        The Center increased the risk of having the computer operating system and other computer resources altered without authorization and of not detecting the alteration through normal operating controls.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that access and activities of the Center's system programmer are controlled and monitored by security staff and that RACF controls are established to protect system resources.

SERVICE CONTINUITY

J. Service Continuity

Condition:   The Center did not have an effective means to recover or to resume computer operations in the event of a system failure or a disaster.
Although the Center has begun developing a service continuity plan for fiscal year 1997, the Center did not have a service continuity plan in place. Additionally, the off-site storage facility was not located at least 1 mile from the Center, and the facility did not adequately safeguard information and data stored from unauthorized access and environmental hazards such as heat or humidity.

Criteria:    Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish a comprehensive contingency plan and to periodically test the capability to perform the agency function supported by the application, as well as critical telecommunications links, in the event of a disaster or system failure. In order to accurately and successfully test the disaster recovery capabilities, the disaster recovery plan needs to be updated as changes occur. Additionally, the National Institute of Standards and Technology's handbook, "An Introduction to Computer Security: The NIST Handbook," recognizes that a comprehensive disaster recovery plan is necessary to ensure the timely recovery of all business functions and the systems environment, which is critical for day-to-day operations and to minimize downtime.
The Department of the Interior's "Automated Information Systems Security Handbook" mandates off-site storage "for all AIS [automated information systems] installations providing critical support to the organization's missions." In addition, the National Institute of Standards and Technology's handbook states that a primary contingency strategy for applications and data is storage at a secure off-site facility. According to the handbook, the secure off-site storage facilities should be physically and environmentally protected to prevent unauthorized individuals from access and to protect data from heat, cold, or harmful magnetic fields and should be located at least 1 mile from the installation.

Cause:         The Bureau did not ensure that necessary funding was provided to the Center to develop a contingency plan and to acquire or contract for an adequate off-site storage facility. Before fiscal year 1996, the Center had a contractor-developed contingency plan, and the contractor was responsible for performing disaster recovery tests. However, in fiscal year 1996, the Bureau decreased Center funding, and the contract was not continued.
At the time of our review, the Center was negotiating for the acquisition of a computer site from which to perform disaster recovery testing.

Effect:        The Center increased the risk of being unable to recover and resume critical operations should the system fail or disasters occur.

Recommendation:

We recommend that the Assistant Secretary for Indian Affairs ensure that a contingency plan is developed and tested and that funding is provided for acquiring a secure off-site storage facility.

                                                                                          APPENDIX 2, Page 1 of 4

                 United States Department of the Interior

Memorandum

To:             Assistant Inspector General for Audits

From:           Acting Assistant Secretary - Indian Affairs

Subject:        Draft Audit Report, "General Controls Over Automated Information Systems, Bureau of Indian Affairs," (Assignment No. C-IN-BIA-009-96A)

The subject audit reviewed the general controls for the automated information systems, specifically those in place at the Operations Service Center in Albuquerque, NM. We request that a section of the Draft Report on prior audit coverage be modified, as indicated below, and that information be added to the final report regarding the Bureau's budget situation.

Prior Audit Coverage

The identification of prior audit coverage includes only the "Statement of Assets and Trust Fund Balances at September 30, 1995, of the Trust Funds Managed by the Office of Trust Funds Management, Bureau of Indian Affairs," (No. 97-I-96).
While we do not dispute the fact that this audit identified weaknesses in our information systems, we would note that the audit findings were never formally transmitted to Indian Affairs, as the Office of Trust Funds Management was no longer part of the Bureau of Indian Affairs when the report was issued; indeed, the Office of Inspector General issued the audit which contained recommendations for action by the Bureau of Indian Affairs without either notifying us or allowing us the opportunity to respond. In view of the fact that normal procedures were not followed by the Office of Inspector General with respect to this report, we suggest that, at a minimum, this report identify the fact that the BIA was not provided an opportunity to respond to the report.

Funding and Staffing for the Center

In a number of places, the report would lead the reader to assume that Bureau management was solely responsible for the funding and staffing deficiencies within the Office of Information Resources Management which directly contributed to the control weaknesses identified in the report. For example: ". . . adequate funding and personnel were not provided to fully support the Center's mission" (p. 6); the system security program be "provided staff to perform the required duties" (p. 13); "The Center was understaffed. . ." (p. 18); ". . . the Bureau had reduced funding available to the Center. . ." (p. 18); ". . . the security function was understaffed. . ." (p. 19); "Center staffing was not sufficient to the extent that the segregation of duties could be adequately distributed" (p. 22); and "The Bureau did not ensure that necessary funding was provided to the Center. .
." (p. 26).

As part of its action on the FY 1996 budget request, Congress denied all funding increases for Central Office; required the full absorption of pay cost increases; and also reduced funding for all BIA Central Office operations by approximately 25 percent below the FY 1995 level. This impacted all Central Office operations. The Center was particularly hard hit, because as the second largest headquarters office, their pay absorption was over $800,000. Previous Departmental reviews had determined that OIRM was significantly underfunded at the pre-1996 levels. In fact, the FY 1996 budget request had included a total increase over the FY 1995 level of $3.5 million. The net result of the Congressional actions was that the Office of Information Resources Management was left with less than 60 percent of the resources that had been identified in the FY 1996 budget request.

We request that the report be revised to reflect the fact that it was action taken by Congress in cutting the budget request, not management decisions of the Bureau, that resulted in the severe shortage of staffing and funding for the Office of Information Resources Management.

Current Bureau Plans for Automated Information Systems

In accordance with the Administration's goal to reduce the number of computer operations centers across the Federal Government (OMB Bulletin #96-02, Consolidation of Agency Data Centers), the Bureau has been directed by DOI to enter into an agreement with the U.S. Geological Survey to migrate all of the mainframe data processing to their host computer in Reston. The target date for completion of the transfer is December 1, 1997.
In our discussions with OIG staff during and subsequent to the exit conference, it was generally agreed that the pending transfer would be responsive to all of the recommendations contained in the audit with the exception of system security, personnel security, resource classification, and software development and change control. These recommendations are separately addressed in our response.

The Bureau agrees with the recommendations contained in the draft audit report on Physical Controls, User Access, Access to the UNISYS Computer, Segregation of Duties, and System Software. The action that will be taken to implement these recommendations is the conversion of the mainframe data processing to the U.S.G.S. host computer. The conversion tasks that have been identified and the schedule for completion of the tasks are attached. Mr. Ed Socks has been designated as the project leader for the Bureau. Should these recommendations be referred to the Office of Financial Management for the tracking of implementation activities, we request that the multiple recommendations contained in the above-mentioned sections be consolidated into one recommendation: migration of mainframe data processing to U.S.G.S.

Our responses to the other recommendations contained in the report are provided below:

System Security Program: We recommend that the Assistant Secretary - Indian Affairs ensure that:

1.
The automated information system security function is elevated organizationally to at least report\ndirectly to the Director, Office of Information Resources Management; is formally provided with\nauthority to implement and enforce a Bureauwide system security program; and is provided staff to\nperform the required duties, such as providing computer security awareness training and performing\nperiodic risk assessments.\n\n\n                                                   26\n\x0c                                                                                      APPENDIX 2\n                                                                                      Page 3 of 4\n\n\n\n\nBureau Resnonse: The Bureau concurs with the recommendation. In conjunction with the transfer\nof mainframe data processing from the Bureau, some reorganization or redescription of positions\nwithin the Office of Information Resources Management will be necessary. As part of this\nreorganization/redescription, the position of Security Officer will be elevated to report directly to\nthe Director, OIRM. We will treat this position similar to that of the Bureau\xe2\x80\x99s Safety Officer who,\nwhile part of a headquarters organization, has authority extending beyond headquarters operations.\nThe target date for completion of the reorganization plan is October 1, 1997, with an effective\nimplementation date of December 1, 1997. Mr. Dale Bajema, Special Assistant to the Assistant\nSecretary and Mr. James Cain, Director, OIRM are the responsible officials.\n\n2. A separate security function is established to administer the Center\xe2\x80\x99s security.\n\nBureau Resnonse: The Bureau does not concur. We believe that this recommendation would be\nappropriate if the Bureau were to continue to operate mainframe data processing. 
Since that function will be transferred to U.S.G.S., we believe that the Bureau Security Officer and his staff will be able to manage the reduced security requirements of the Albuquerque OIRM site.

3. A system security program is developed and documented which includes the information required by the Computer Security Act of 1987 and Office of Management and Budget Circular A-130, Appendix III, and that policies and procedures are implemented to keep the system security program current.

Bureau Response: The Bureau concurs with respect to those functions which will remain the responsibility of the Bureau subsequent to the transfer of mainframe data processing to U.S.G.S. (e.g., telecommunications, local area networks and stand-alone microprocessors, and determinations as to sensitivity of data). The development of the policies and procedures will be the responsibility of the Bureau Security Officer, Mr. Jerry Belew. The policies and procedures will be completed by October 1, 1997.

4. The Bureau’s security personnel perform risk assessments of the Bureau’s automated information systems environment and, as appropriate, provide assurance that the necessary changes are implemented to manage the risks identified.

Bureau Response: The FY 1996 reduction-in-force eliminated OIRM staff capability to perform risk assessments. From the resources freed as a result of the transfer of data processing, and as part of the reorganization/redescription discussed above, positions will be established to perform the necessary risk assessments. Until such time as the reorganization/redescription is completed, we cannot identify a responsible official.
The risk assessments will commence in July 1998 and the first assessment of all applications will be completed within 18 months of that date.

Personnel Security Policies and Procedures: We recommend that the Assistant Secretary - Indian Affairs ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel in sensitive or critical ADP positions and for informing the security staff, in writing, whenever employees who are system users terminate their employment or are transferred.

[OFFICE OF INSPECTOR GENERAL NOTE: As stated in our report, Recommendation A.2 has been deleted, and Recommendations A.3 and A.4 have been renumbered as Recommendations A.2 and A.3, respectively.]

Bureau Response: The Bureau concurs. As a result of the audit, a review was conducted of the security clearances for those working at the Operations Service Center; fully two-thirds did not have up-to-date clearances. The necessary information will be submitted to the Office of Personnel Management to conduct/update the clearances of the Operations Service Center staff by June 1, 1997; the responsible official is Mr. Jerry Belew.

To address the failure to delete user IDs when employees have transferred or have left the Bureau, two actions will be taken: (1) a report will be provided monthly to the Office of Information Resources Management of employees who have transferred within the Bureau so that system access can be reviewed and modified or revoked, if necessary; and (2) a report on employee terminations will be provided monthly so that system access can be revoked.

The responsibility for providing the reports to the Operations Service Center will be placed with the Personnel Office of the Office of Surface Mining as part of a reimbursable agreement that is in place to provide certain personnel support to the Bureau; the Acting Director, Office of Management and Administration, Mr. Jim McDivitt, is responsible for providing this direction to OSM. The responsibility for revoking/modifying system access based upon the reports received rests with the Bureau Security Officer, Mr. Jerry Belew.

Resource Classification: We recommend that the Assistant Secretary - Indian Affairs develop and implement policies to classify the Bureau’s computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

Bureau Response: This recommendation is essentially the same as the fourth recommendation which was made in the System Security section of the report. As indicated in our response to that recommendation, we will begin the risk assessments in July 1998.

Software Development and Change Control: We recommend that the Assistant Secretary for Indian Affairs ensure that policies and procedures are developed and implemented which clearly identify the individuals responsible and accountable for application development and changes.

Bureau Response: The Bureau concurs. OIRM is in the process of expanding and documenting improved procedures in this area.
The target date for completion is July 1, 1997; the responsible official is Mr. Dale Bajema, Special Assistant to the Assistant Secretary.

Any questions regarding the Bureau’s response may be directed to Mr. James Cain, Director, Office of Information Resources Management.

Attachment

[NOTE: ATTACHMENT NOT INCLUDED BY OFFICE OF INSPECTOR GENERAL.]

APPENDIX 3

STATUS OF AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation Reference: A.1, A.2, A.3, B.1, C.1, D.1, D.2, E.1, F.1, G.1, H.1, and I.1
Status: Resolved; not implemented
Action Required: No further response to the Office of Inspector General is required. The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.

Finding/Recommendation Reference: J.1
Status: Unresolved
Action Required: Provide a response to the recommendation. If concurrence is indicated, provide an action plan that includes target dates and titles of officials responsible for implementation. If nonconcurrence is indicated, provide reasons for the nonconcurrence.

ILLEGAL OR WASTEFUL ACTIVITIES SHOULD BE REPORTED TO THE OFFICE OF INSPECTOR GENERAL BY:

Sending written documents to:                          Calling:

Within the Continental United States

U.S. Department of the Interior                        Our 24-hour Telephone HOTLINE
Office of Inspector General                            1-800-424-5081 or
1849 C Street, N.W.                                    (202) 208-5300
Mail Stop 5341
Washington, D.C. 20240                                 TDD for hearing impaired
                                                       (202) 208-2420 or
                                                       1-800-354-0996

Outside the Continental United States

Caribbean Region

U.S. Department of the Interior                        (703) 235-9221
Office of Inspector General
Eastern Division - Investigations
1550 Wilson Boulevard
Suite 410
Arlington, Virginia 22209

North Pacific Region

U.S. Department of the Interior                        (700) 550-7428 or
Office of Inspector General                            COMM 9-011-671-472-7279
North Pacific Region
238 Archbishop F.C. Flores Street
Suite 807, PDN Building
Agana, Guam 96910